Opened 8 years ago

Last modified 2 years ago

#3241 new defect

Seeing lots of "crypto error while reading public key from string" on DA

Reported by: linus
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-dirauth easy log-severity
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I have about 200 of these (in 20 hours) on my DA:

May 18 21:06:05.183 [warn] crypto error while reading public key from string: too long (in asn1 encoding routines:ASN1_get_object)
May 18 21:06:05.183 [warn] crypto error while reading public key from string: bad object header (in asn1 encoding routines:ASN1_CHECK_TLEN)
May 18 21:06:05.183 [warn] crypto error while reading public key from string: nested asn1 error (in asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE)
May 18 21:06:05.183 [warn] crypto error while reading public key from string: nested asn1 error (in asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I)
May 18 21:06:05.183 [warn] crypto error while reading public key from string: ASN1 lib (in PEM routines:PEM_ASN1_read_bio)
May 18 21:06:05.183 [warn] parse error: Couldn't parse public key.
May 18 21:06:05.183 [warn] Error tokenizing router descriptor.
May 18 21:06:05.183 [warn] Error reading extra-info: signature does not match.

Change History (12)

comment:1 Changed 8 years ago by linus

These are related, starting and stopping at approx the same time:

May 18 06:11:00.825 [warn] crypto error while checking RSA signature: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1)
May 18 06:11:00.825 [warn] crypto error while checking RSA signature: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT)
May 18 06:11:00.825 [warn] Error reading router descriptor: invalid signature.

I have 1789 of these during this period, May 18 06:05 CEST through May 19 03:12 CEST.

comment:2 Changed 8 years ago by linus

Component: - Select a component → Tor Directory Authority

comment:3 Changed 8 years ago by arma

Status: new → needs_information

Any other hints?

I'm inclined to close as "no idea what happened, but the Tor network seems to still work."

comment:4 Changed 8 years ago by ln5

Haven't seen this since. Definitely not during the last two months and most probably not earlier than that either.

comment:5 Changed 8 years ago by nickm

Milestone: Tor: unspecified

comment:6 Changed 7 years ago by nickm

Keywords: tor-auth added

comment:7 Changed 7 years ago by nickm

Component: Tor Directory Authority → Tor

comment:8 Changed 7 years ago by hexa-

Got one of these just this morning:

10:26:46 [WARN] crypto error while checking RSA signature: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT)
10:26:46 [WARN] crypto error while checking RSA signature: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1)

Just the two, though.

comment:9 Changed 7 years ago by nickm

Is there any warning message right after that one? That sequence of log messages says that there was a problematic signature, but it doesn't say where.

comment:10 Changed 7 years ago by Logforme

Got the same warnings twice the same day. Never seen before or after. No other notifications or warnings in the log:

Mar 07 06:28:45.000 [notice] Tor 0.2.3.25 (git-3fed5eb096d2d187) opening new log file.
Mar 07 18:11:15.000 [warn] crypto error while checking RSA signature: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1)
Mar 07 18:11:15.000 [warn] crypto error while checking RSA signature: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT)
Mar 07 19:59:04.000 [warn] crypto error while checking RSA signature: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1)
Mar 07 19:59:04.000 [warn] crypto error while checking RSA signature: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT)

comment:11 Changed 2 years ago by dgoulet

Keywords: tor-dirauth added; tor-auth removed

Turns out that tor-auth is for directory authority so make it clearer with tor-dirauth

comment:12 Changed 2 years ago by nickm

Keywords: easy log-severity added
Severity: Normal
Status: needs_information → new

I think these log warnings are uselessly severe. It would be better to lower the severity that we are passing to crypto_log_errors(): we shouldn't warn the user just because we couldn't read a key or verify a signature somewhere or other.

That's not quite enough, though: we'll need to make sure that the other functions in Tor that call the relevant functions in crypto.c are logging better warnings at a more appropriate level.
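
Comments 9 and 12 turn on whether a crypto warning is followed by a line that says where the failure happened. As an added example (not part of the ticket and not Tor's own code), the Python script below groups such warnings into incidents and reports which ones carry no context line; the sample log is constructed from lines quoted in the ticket, and the names `group_incidents` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, assembled from log lines quoted in the ticket.
SAMPLE_LOG = """\
Mar 07 06:28:45.000 [notice] Tor 0.2.3.25 (git-3fed5eb096d2d187) opening new log file.
May 18 21:06:05.183 [warn] crypto error while reading public key from string: too long (in asn1 encoding routines:ASN1_get_object)
May 18 21:06:05.183 [warn] crypto error while reading public key from string: ASN1 lib (in PEM routines:PEM_ASN1_read_bio)
May 18 21:06:05.183 [warn] parse error: Couldn't parse public key.
May 18 21:06:05.183 [warn] Error tokenizing router descriptor.
May 18 06:11:00.825 [warn] crypto error while checking RSA signature: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1)
May 18 06:11:00.825 [warn] crypto error while checking RSA signature: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT)
May 18 06:11:00.825 [warn] Error reading router descriptor: invalid signature.
10:26:46 [WARN] crypto error while checking RSA signature: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT)
10:26:46 [WARN] crypto error while checking RSA signature: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1)
"""

LINE_RE = re.compile(r"^(?P<ts>.+?) \[(?P<sev>\w+)\] (?P<msg>.*)$")
CRYPTO_RE = re.compile(
    r"^crypto error while (?P<op>[^:]+): .*? \(in [^:]+:(?P<func>\w+)\)$")

def group_incidents(log_text):
    """Split warn lines into incidents: a run of OpenSSL error-queue lines
    followed by whatever context the caller logged at the same timestamp."""
    incidents = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["sev"].lower() != "warn":
            continue
        c = CRYPTO_RE.match(m["msg"])
        cur = incidents[-1] if incidents else None
        # New incident on a timestamp change, or when crypto lines resume
        # after context lines (two failures inside one coarse timestamp).
        if cur is None or cur["ts"] != m["ts"] or (c and cur["context"]):
            cur = {"ts": m["ts"], "op": None, "funcs": [], "context": []}
            incidents.append(cur)
        if c:
            cur["op"] = cur["op"] or c["op"]
            cur["funcs"].append(c["func"])
        else:
            cur["context"].append(m["msg"])
    return [i for i in incidents if i["funcs"]]

def summarize(log_text):
    """Count incidents per (operation, last context line or None)."""
    return Counter(
        (i["op"], i["context"][-1] if i["context"] else None)
        for i in group_incidents(log_text))

if __name__ == "__main__":
    for (op, where), n in summarize(SAMPLE_LOG).items():
        print(f"{n:4d}  {op}  ->  {where or 'NO CONTEXT LOGGED'}")
```

Incidents whose context is `None` are the ones comment 9 asks about: the log shows that a signature check failed but not which document it belonged to.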
